Anniversary of Notifiable Data Breaches scheme

Friday, 22 February 2019

One year on from its introduction in February 2018, the Notifiable Data Breaches scheme is driving increased awareness and action on personal information security, Australian Information Commissioner and Privacy Commissioner Angelene Falk said today.

“The first anniversary of the scheme is an opportunity for regulated entities to reflect on the causes of breaches that put personal data at risk and how they are managing their privacy obligations,” Ms Falk said.

“Most of the data breaches reported to us over the past year involved a human factor, like sending information to the wrong person or someone’s login credentials being compromised through phishing or other means and used in a cyber attack.

“We expect organisations and agencies to act on the risks highlighted by these reports ― whether or not they were directly affected ― and take steps to prevent a similar breach of Australians’ personal data.”

Under the scheme, Australian Government agencies and organisations must carry out an assessment whenever they suspect that there may have been loss of, unauthorised access to or unauthorised disclosure of personal information that they hold.

If serious harm is likely to result, they must notify affected individuals so they can take action to address the possible consequences, such as changing passwords and checking their credit record. They must also notify the Office of the Australian Information Commissioner (OAIC).

From the scheme’s introduction on 22 February to the end of December 2018, 812 data breaches were notified.

“The growing number of data breaches notified to my Office is consistent with trends experienced by our counterparts overseas and indicates agencies and organisations are complying with their notification obligations,” Ms Falk said.

“Individuals are now receiving notices so they can take action to reduce their risk of harm, which also shows the scheme is working as intended.”

Ms Falk said the introduction of the scheme reflected the increasing global focus on data protection, including the European Union General Data Protection Regulation, which commenced in May 2018.